Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.
You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by https:// rather than the unencrypted http://. If you try to access any part of this site using http://, you’ll be redirected to the equivalent https:// address.
Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.
Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.
After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.
Troy Hunt’s video
If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.
In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.
Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allow you to select a particular product or platform, and hide everything else.
Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.
Have you been getting a lot of scam phone calls lately? I sure have. On both the land line and my business cell phone. Some callers claim that I’m being sued by the government or that I’m under investigation. Others want me to think there’s something wrong with my computer and that they have the only fix.
I’m pretty good at spotting these scams, and for me, they’re sometimes entertaining, but usually just annoying. For some people, especially elderly folks with little technical knowledge, these calls can be a horrible trap.
The latest Firefox release features faster page load times and tab switching, improvements to search provider setup, an improved dark theme, better bookmark syncing, and at least eighteen security fixes.
Settings related to the home page and ‘new tab’ page are now in their own section on Firefox’s Options pages. You can access the new section directly using this URL: about:preferences#home.
A new version of Google’s web browser was announced on June 12. Chrome 67.0.3396.87 (change log) is a bug fix release; a single security vulnerability is addressed. Check your version by navigating Chrome’s menu to Help > About Google Chrome.
According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilties are flagged as Critical.
The vulnerability fixed in Firefox 60.0.2 is flagged as having both Critical and High impact by Mozilla, and since there are as yet no details in the official vulnerability database for CVE-2018-6126, it’s difficult to know which is correct.
Regardless, if you use Firefox, you should update it as soon as possible. Depending on how it’s configured, Firefox will usually at least let you know that a new version is available within a few hours after it’s published. If not, you can usually trigger an update by clicking the ‘hamburger’ menu icon at the top right, then selecting Help > About.
To check your Chrome version, click the vertical-ellipses icon at the top right of its window, then select Help > About Google Chrome. If an update is available, it will usually start downloading automatically.
If you’re using Flash, and in particular if you use a web browser in which Flash is enabled, you should update Flash as soon as possible. On Windows systems, you can do that by going to the Windows Control Panel, then clicking the Flash component. In the Flash Player Settings Manager, go to the Updates tab and click Check Now. That will take you to the official About Flash page, where you can check whether Flash is currently installed, see which version is installed, and download the latest version. Depending on your browser configuration, you may have to click the small gray rectangle to the right of the introductory text, then confirm that you want to allow Flash content to play.
As usual, browsers with embedded Flash (Edge, Chrome, Internet Explorer) will get the new version via their own update mechanisms.
Update 2018Jun11: According to the latest report from security researchers at Talos, the list of routers affected by VPNFilter is now much larger. The malware’s capabilities are now better understood, and include the ability to intercept and modify network traffic passing through affected devices. To see the updated list of devices known to be affected by VPNFilter, scroll to the bottom of this page and look for the heading Known Affected Devices.Bruce Schneier weighs in.
Over the last week or so, you’ve probably noticed several stories about some malware called VPNFilter. For most people — and for a number of reasons — VPNFilter doesn’t pose a significant risk. But it’s a good idea to make sure. Here’s what you need to know:
VPNFilter is designed to infect SOHO (Small Office / Home Office, aka consumer-grade) network routers and Network Attached Storage (NAS) devices. It appears to have been active since 2016, and is known to have infected hundreds of thousands of devices worldwide.
Only a few specific router models are known to be vulnerable to VPNFilter, but there may be more. The list of vulnerable devices includes several models from Linksys, Mikrotik, Netgear, QNAP, and TP-Link. If you know (or can find) the make and model of your router, check to see whether it’s on the list.
On May 23, the US Justice Department announced that they had effectively neutered VPNFilter by taking over one of its command and control domains. But VPNFilter remains on many infected devices, as do the vulnerabilities that allowed infection in the first place.
The FBI is asking everyone on Earth who manages or is responsible for any consumer-grade router, to restart it. This will remove the second stage of a VPNFilter infection from a router. It may seem like overkill, but until we have a complete list of vulnerable devices, it’s a risk-free way to disrupt VPNFilter’s activities.
If you think your device has been infected — perhaps because it’s on the list of known affected devices — the only way to fully remove the infection is to reset the device to its factory settings. This sounds simple but can actually be problematic. Resetting a router can cause connected devices to lose access to the Internet, and things gets worse from there. If you want to attempt this, you should first log into your device’s web interface and document all important settings, because you’ll need to reconfigure the device after it’s been reset. Disconnect the device from the Internet before resetting it, because its administration password will be reset to a known default. Change that password as soon as possible after the reset.
If you manage your own router or NAS device, it’s critically important to configure it sensibly. That means changing its default password, and disabling any features that allow for remote (i.e. from the Internet) administration.
News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.